                    AUDIT OF SELECTED SBA COMPUTER
                       GENERAL SUPPORT SYSTEMS
                       AUDIT REPORT NUMBER 4-41

                                 SEPTEMBER 10, 2004


This report may contain proprietary information subject to the provisions of 18 USC 1905 and
must not be released to the public or another agency without permission of the Office of
Inspector General.


                       U.S. SMALL BUSINESS ADMINISTRATION
                           OFFICE OF INSPECTOR GENERAL
                               WASHINGTON, D.C. 20416

                                                               AUDIT REPORT
                                                       Issue Date: September 10, 2004
                                                       Number: 4-41


To:            Stephen D. Galvan
               Chief Information Officer

From:          Robert G. Seabrooks,
               Assistant Inspector General for Auditing

Subject:       Audit of Selected SBA Computer General Support Systems

       Attached is the public version of the audit report on Selected SBA General Support
Systems issued by Cotton & Company LLP. The report was issued as LIMITED-OFFICIAL-USE.
Distribution of the full report requires specific authorization by the SBA Office of the Chief
Information Officer (OCIO) or the SBA Office of the Inspector General (OIG).

       The auditors reviewed the settings and configurations of the selected general support
systems against standards issued by the National Institute of Standards and Technology (NIST),
the National Security Agency (NSA), the Center for Internet Security (CIS) and the
manufacturers' guidelines.

       The Federal Information Security Management Act (FISMA) requires each agency to
develop minimally acceptable system configuration requirements and to ensure compliance with
those requirements. Systems that are implemented with secure configurations against a standard
benchmark have fewer vulnerabilities and are better able to thwart network attacks.

       The auditors concluded that the selected SBA general support systems and components
reviewed contained a number of vulnerabilities which increased the potential for security
exposures to exist and go undetected. Additionally, SBA's general support systems and
components did not follow a standard system configuration. This generally occurred because
SBA had not implemented standard configurations for its general support computer operating
systems and components, nor had SBA ensured that changes to the system configurations were
made in a controlled manner. As a result, SBA's general support computer operating systems
were potentially vulnerable to unauthorized utilization or inefficient operation.

       SBA was in general agreement with the findings and recommendations, but did not
provide a written response to the draft audit report. Actions to address the findings and
recommendations will be evaluated during the audit resolution process.

       The findings in this report are based on the auditors' conclusions, and the report
recommendations are subject to review, management decision and action by your office in
accordance with existing Agency procedures for follow-up and resolution.

       Please provide us your proposed management decisions on October 31, 2004 on the
attached SBA Forms 1824, Recommendation Action Sheet. If you disagree with the
recommendations, please provide your reasons in writing.

       Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director,
Information Technology and Financial Management Group, at (202) 205-7490.

Attachments


                                     September 9, 2004


Subject:      Audit of Selected Computer General Support Systems and Controls at the U.S.
              Small Business Administration


We were engaged to conduct a performance audit of selected general support systems and their
associated controls at the U.S. Small Business Administration (SBA). We utilized various best
practices from the National Institute of Standards and Technology (NIST), the National Security
Agency (NSA) and the Center for Internet Security (CIS) as criteria for this project. The
objective of our work was not to provide assurance on overall internal control. Consequently,
we do not provide an opinion on internal control.

This report is intended solely for the information and use of SBA management. We would like
to express our appreciation to the SBA representatives who assisted us in completing our work.
They were always courteous, helpful, and professional.

If you have any questions or comments about this report, please contact me at your convenience.
Thank you.

Very truly yours,

COTTON & COMPANY LLP

         /S/
Loren Schwartz, CPA, CISA


 PERFORMANCE AUDIT OF SELECTED COMPUTER GENERAL SUPPORT SYSTEMS
      AND CONTROLS AT THE U.S. SMALL BUSINESS ADMINISTRATION

                                  EXECUTIVE SUMMARY

BACKGROUND

This report specifically covers our review of selected computer general support systems,
including servers, routers and firewalls at SBA headquarters. These items were selected because
they support applications deemed critical to SBA's operations.

OBJECTIVE, SCOPE, AND METHODOLOGY

The overall objective of our audit was to review existing information security controls and
identify weaknesses impacting certain components of the general support systems. Our review
was not intended to result in the issuance of an opinion, and we do not issue an opinion as
defined by the American Institute of Certified Public Accountants. The individual scope,
objectives and methodologies of our reviews are included in the audit report section for each
platform or system that we reviewed.

We conducted this review in accordance with Generally Accepted Government Auditing
Standards for Performance Audits and, accordingly, we performed such tests and other auditing
procedures as necessary to meet the review objective. A review of the entire internal control
structure was not required for the scope of this audit.

We performed fieldwork from March through June 2004 at SBA headquarters located in
Washington, D.C., and at Cotton & Company's Alexandria, Virginia, office.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

SBA's computer general support systems and components (UNIX Solaris, Internal and AT&T
Checkpoint Firewalls, and Cisco Routers) contained a number of vulnerabilities which increase
the potential for security exposures to exist and go undetected. Additionally, SBA's general
support systems and components (UNIX Solaris, Internal and AT&T Checkpoint Firewalls, and
Cisco Routers) did not follow a standard system configuration. This generally occurred because
SBA had not implemented standard configurations for its general support computer operating
systems and components, nor had SBA ensured that changes to the system configurations were
made in a controlled manner. As a result, SBA's general support computer operating systems
were potentially vulnerable to unauthorized utilization or inefficient operation.

We recommend that SBA take actions to minimize the risk of security deficiencies by correcting
the weaknesses disclosed in this report. Specific recommendations for resolving these
weaknesses are detailed in the results section of this report. Due to the types of vulnerabilities
identified, certain recommendations are made to SBA systems as a whole, including contractor-
operated systems, to ensure that the vulnerabilities identified in this report may be addressed
within the Agency for all related computer systems and platforms.


                                                     Attachment A

                               REPORT DISTRIBUTION

Recipient                                            Copies

Associate Deputy Administrator for
  Management & Administration                           1

General Counsel                                         3

General Accounting Office                               1

Office of the Chief Financial Officer
  Attention: Jeff Brown                                 1